Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Stephen Farrell <> Tue, 25 August 2015 22:17 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3B0551A0049 for <>; Tue, 25 Aug 2015 15:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W76ww8xYhiHy for <>; Tue, 25 Aug 2015 15:17:10 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BBB771A1B5D for <>; Tue, 25 Aug 2015 15:17:07 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4E130BE64; Tue, 25 Aug 2015 23:17:06 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RtXb5VqKVEJt; Tue, 25 Aug 2015 23:17:05 +0100 (IST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id D39C6BE5D; Tue, 25 Aug 2015 23:17:04 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1440541024; bh=tRapxTdZxm5LQYpEvfzG7go5t5rvvmDS7bfNV06FTmo=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=GPD74Mb6XWzNDnlpx+hm1CB0E5IdeFGQpXpCvEMBT88TJA4WVmdKRuLeO6VFLVfy7 +y/v6Ia7/jeYEsNZmDvCkP4LlhAbeb0nS+F2fcD96jm6NpN446BytSOspK8jLVHJmd RGzAPgsE3YAmfiWqa7P0Fiw9Zp9hbT2/tyEBsfRk=
Message-ID: <>
Date: Tue, 25 Aug 2015 23:17:04 +0100
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Yoav Nir <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <>
Cc: Security Area Advisory Group <>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 25 Aug 2015 22:17:11 -0000

On 25/08/15 23:04, Yoav Nir wrote:
> It depends on what that capable attacker is trying to do. If this
> adversary is attacking *your* communications, you’re right. If the
> adversary is attempting pervasive monitoring, this stage almost never
> comes. If every TCP connection today was encrypted with DES a capable
> attacker could decrypt any connection but not every connection. They
> couldn’t even decrypt 1% of all connections. So against an adversary
> engaging in pervasive monitoring, even single DES is significantly
> better than cleartext.

Mostly fair point, though one might speculate as to whether RC4
may end up easier than single DES. (Actually, do we have any good
information about that? I guess there aren't many publications on
the relative weaknesses of weak ciphers.)

But it's also the case that OS aims to protect against passive
attacks and to force the adversary to be active. That property
of OS should still apply even if we're only talking about 1% or
0.0001% of all traffic and is lost if we have a somewhat patient
adversary who has enough meta-data to decide how to spider
through a large trove of weak ciphertext, which seems likely to

So yes, very weak ciphers are still better than plaintext when
we consider easily searching the entire cache of recorded data,
but that is not the only property we want when applying the
OS design pattern. Being secure against a passive targeted
attack for as long as the application traffic remains sensitive
is also a goal of OS, I think. (Note: I'm not saying we can
be sure of that, but it is a goal.)


PS: Even if we don't reach a snappy new statement of how OS
and weaker crypto play together, I think this discussion is
useful, for me at least.